The Biggest Identity Risk for State and Local Agencies Isn’t a Person — It’s a Script

StateTech Magazine, Jun 8, 2026

Why It Matters

Unmanaged nonhuman identities create a stealthy breach vector that can compromise citizen records and undermine zero‑trust initiatives, posing significant operational and reputational risk for government entities.

Key Takeaways

  • Service accounts outnumber human users in many government systems
  • Long‑lived credentials enable silent, credential‑based attacks
  • Orphaned API keys expose citizen data without MFA prompts
  • Inventorying nonhuman identities cuts attack surface quickly
  • Short‑lived or secret‑less access reduces privilege abuse risk

Pulse Analysis

The proliferation of nonhuman identities—service accounts, automation scripts, API keys and AI agents—has reshaped the threat landscape for state and local governments. Unlike human users, these digital identities often lack the visibility afforded by multi‑factor authentication or periodic access reviews. Because they can be created in bulk to support modern cloud‑native applications, they frequently outnumber human accounts and remain unchecked, turning them into high‑value footholds for adversaries seeking to infiltrate government networks.

Attackers exploit the silent nature of these credentials by harvesting a single leaked key from a public code repository or an abandoned service account. Once obtained, the credential can be used to query citizen databases, modify storage buckets, or move laterally without triggering typical security alerts that rely on interactive logins. The absence of MFA prompts and the ability to operate programmatically make detection difficult, allowing breaches to persist for weeks while exfiltrating sensitive data. Recent incidents have shown that a forgotten cloud access key can grant unrestricted read/write access to personal records, underscoring the urgency of addressing this blind spot.

Mitigating the risk starts with a focused inventory of all nonhuman identities in a critical system, assigning clear ownership, and retiring any orphaned accounts. From there, agencies should adopt robust secrets‑management solutions, enforce credential rotation, and transition to short‑lived or secret‑less authentication methods such as workload identity federation. Embedding these practices into a zero‑trust framework elevates nonhuman identities to first‑class assets, reducing the attack surface and enhancing overall cyber resilience. Proactive governance not only protects citizen data but also aligns government IT with emerging regulatory expectations.
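
One way to run the inventory step described above, as an added example that is not from the article or any agency's tooling: it reads a constructed CSV export of nonhuman identities and flags orphaned, long-lived and dormant entries with a suggested follow-up. The column names, the action labels and the 90-day and 60-day thresholds are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data): one row per nonhuman identity.
INVENTORY_CSV = """\
identity,kind,owner,created,last_used,expires
svc-permits-etl,service_account,jlee,2021-03-01,2026-06-01,
ci-deploy-key,api_key,,2023-09-15,2024-01-10,
gis-sync-token,api_key,mpatel,2026-05-20,2026-06-07,2026-06-21
legacy-backup,service_account,,2019-11-02,,
report-bot,service_account,,2026-04-30,2026-06-05,2026-07-15
"""

MAX_LIFETIME_DAYS = 90  # assumed rotation policy, not from the article
MAX_IDLE_DAYS = 60      # assumed idle threshold, not from the article


def _day(text):
    return date.fromisoformat(text) if text else None


def audit(csv_text, today):
    """Return {identity: (issues, action)} for each identity needing follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        created, last_used, expires = (
            _day(row[k].strip()) for k in ("created", "last_used", "expires"))
        orphaned = not row["owner"].strip()
        issues = ["orphaned"] if orphaned else []
        # No expiry set: measure how long the credential has already lived.
        if ((expires or today) - created).days > MAX_LIFETIME_DAYS:
            issues.append("long_lived")
        if last_used is None:
            issues.append("never_used")
        elif (today - last_used).days > MAX_IDLE_DAYS:
            issues.append("idle")
        if issues:
            dormant = "never_used" in issues or "idle" in issues
            action = ("retire" if orphaned and dormant else "assign_owner" if orphaned
                      else "review" if dormant else "rotate")
            findings[row["identity"]] = (issues, action)
    return findings


if __name__ == "__main__":
    for name, (issues, action) in audit(INVENTORY_CSV, date(2026, 6, 8)).items():
        print(f"{name:18} {action:13} {','.join(issues)}")
```
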
